Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > Hi Stephen, > > After enabling the unconfined module and after reboot also, Still > showing the same id context. > > Is there any way to make the id context to normal state again ?  Hmmm...try resetting all booleans too? semanage boolean

Re: Fwd: Qwery regarding Selinux Change Id context

2017-11-29 Thread Stephen Smalley
Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote: > > > Hi Stephen, > > > > > > After enabling the unconfined module and after reboot also, Still > > > showing t

Re: KASAN: slab-out-of-bounds Read in strcmp

2017-12-04 Thread Stephen Smalley
On Mon, 2017-12-04 at 17:39 +0100, Dmitry Vyukov wrote: > On Mon, Dec 4, 2017 at 2:59 PM, Paul Moore wrote: > > > > > On 2017/12/02 3:52, syzbot wrote: > > > > > > === > > > > > > === > > > > > > BUG: KASAN:

Re: [PATCH] selinux: ensure the context is NULL terminated in security_context_to_sid_core()

2017-12-01 Thread Stephen Smalley
On Fri, 2017-12-01 at 10:34 -0500, Paul Moore wrote: > On Thu, Nov 30, 2017 at 6:44 PM, William Roberts > wrote: > > On Thu, Nov 30, 2017 at 8:52 AM, Paul Moore > > wrote: > > > From: Paul Moore > > > > > > The syzbot/syzkaller

Re: Qwery regarding Selinux Change Id context

2017-12-01 Thread Stephen Smalley
.c1023* > > > > > > > > *And semanage login -l is showing blank output. * > > > > > > > > *Do you have any idea about this.* > > > > > > > > *Thanks* > > > > *Aman* > > > > > > Try the sam

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-14 Thread Stephen Smalley
On Thu, 2017-12-14 at 03:19 +, yangjihong wrote: > Hello, > > >  So, does docker just keep allocating a unique category set for > > every new container, never reusing them even if the container is > > destroyed?  > >  That would be a bug in docker IMHO.  Or are you creating an > > unbounded

Re: PAM Security related issue

2017-12-14 Thread Stephen Smalley
On Thu, 2017-12-14 at 12:48 +0530, Aman Sharma wrote: > Hi All, > > Below is the output of semanage USer command output for sftpuser: > > specialuser_u   user       s0         s0                            >  sysadm_r system_r > > and for command semanage login -l , output is : > > sftpuser   

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-14 Thread Stephen Smalley
On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote: > On 12/13/2017 7:18 AM, Stephen Smalley wrote: > > On Wed, 2017-12-13 at 09:25 +, yangjihong wrote: > > > Hello,  > > > > > > I am doing stressing testing on 3.10 kernel(centos 7.4), to > >

Re: PAM Security related issue

2017-12-13 Thread Stephen Smalley
On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote: > Hi All, > > just wanted to know the meaning of line session    required    >  pam_selinux.so open env_params added in /etc/pam.d/sshd file. > Actually I am facing one issue related to this. When I changed this > env_params to restore then my

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-14 Thread Stephen Smalley
On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote: > On 12/14/2017 8:42 AM, Stephen Smalley wrote: > > On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote: > > > On 12/13/2017 7:18 AM, Stephen Smalley wrote: > > > > On Wed, 2017-12-13 at 09:25 +, yan

Re: Object range_transition issue when type_transition is involved

2017-12-18 Thread Stephen Smalley
On Mon, 2017-12-18 at 17:36 +, Arnold, Paul C CTR USARMY PEO STRI (US) wrote: > All, >   > I am experiencing some issues using range_transition on objects when > type_transition is also involved on the object.  Specifically, a > range_transition rule on a target object with a "final" type

Re: [PATCH] python/semanage: make seobject.py backward compatible

2017-12-18 Thread Stephen Smalley
On Wed, 2017-12-13 at 13:16 +0100, Petr Lautrbach wrote: > Commit 985753f changed behavior of seobject class constructors. While > semanage itself was fixed, there are other tools like > system-config-selinux and chcat which depend on the original > behavior. > This change make the constructors

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-15 Thread Stephen Smalley
On Fri, 2017-12-15 at 03:09 +, yangjihong wrote: > On 12/15/2017 10:31 PM, yangjihong wrote: > > On 12/14/2017 12:42 PM, Casey Schaufler wrote: > > > On 12/14/2017 9:15 AM, Stephen Smalley wrote: > > > > On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote: >

Re: PAM Security related issue

2017-12-13 Thread Stephen Smalley
> > On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote: > > > Hi All, > > > > > > just wanted to know the meaning of line session    required    > > >  pa

Re: [BUG]kernel softlockup due to sidtab_search_context run for long time because of too many sidtab context node

2017-12-13 Thread Stephen Smalley
On Wed, 2017-12-13 at 09:25 +, yangjihong wrote: > Hello,  > > I am doing stress testing on 3.10 kernel(centos 7.4), to > constantly starting numbers of docker containers with selinux enabled, > and after about 2 days, the kernel softlockup panic: >    [] sched_show_task+0xb8/0x120 >  []

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-11-13 Thread Stephen Smalley
On Mon, 2017-11-13 at 17:45 +1100, James Morris wrote: > On Tue, 31 Oct 2017, Stephen Smalley wrote: > > > This btw would be a bit cleaner if we dropped the .ns. portion of > > the > > name, such that we would have: > > security.selinux # xattr name in the init name

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Stephen Smalley
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote: > Paul Moore <p...@paul-moore.com> wrote: > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa.go > > v> wrote: > > > matching before (as in this patch) or after calling > > >

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-11-01 Thread Stephen Smalley
On Wed, 2017-11-01 at 17:40 +1100, James Morris wrote: > On Tue, 31 Oct 2017, Stephen Smalley wrote: > > > This btw would be a bit cleaner if we dropped the .ns. portion of > > the > > name, such that we would have: > > security.selinux # xattr name in the init name

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-02 Thread Stephen Smalley
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote: > On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de> > wrote: > > Paul Moore <p...@paul-moore.com> wrote: > > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa. >

Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled

2017-11-02 Thread Stephen Smalley
On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote: > When SELinux is disabled, semanage without -N fails with a quite > complicated > error message when it tries to reload a new policy. Since reload in > this case > doesn't make sense, we should probably try to avoid that. I haven't looked

Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled

2017-11-02 Thread Stephen Smalley
On Thu, 2017-11-02 at 15:17 +0100, Petr Lautrbach wrote: > On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote: > > On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote: > > > When SELinux is disabled, semanage without -N fails with a quite > > > complicat

Re: security_bounded_transition

2017-11-06 Thread Stephen Smalley
e to allow apt_t to directly do anything dpkg_t can do, 2) Any files created by dpkg running under apt will be labeled according to apt_t's type transition rules rather than dpkg_t's type transition rules. This may not matter much with your default policy (I don't know) but it is generally undesirable.

Re: Qwery regarding Selinux Change Id context

2017-12-05 Thread Stephen Smalley
hostname=10.97.7.209 > addr=10.97.7.209 terminal=ssh res=success' > > Please let me know if any comments are there. Those are normal. Check journalctl and /var/log/secure for any errors from sshd. Also try the selinuxdefcon command I mentioned. > > On Mon, Dec 4, 2017 at 9:10

Re: KASAN: slab-out-of-bounds Read in strcmp

2017-12-04 Thread Stephen Smalley
On Sun, 2017-12-03 at 20:33 +0900, Tetsuo Handa wrote: > On 2017/12/02 3:52, syzbot wrote: > > == > > BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328 > > Read of size 1 at addr 8801cd99d2c1 by task > >

Re: Qwery regarding Selinux Change Id context

2017-12-04 Thread Stephen Smalley
On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote: > Hi All, > > Thanks for the information. > > But after resetting the semanage User/login, and moving the targeted > folder to old one and then install the default target. then also its > still showing the  > Id context as

Re: Qwery regarding Selinux Change Id context

2017-12-04 Thread Stephen Smalley
at wrong in your /etc/pam.d/sshd file, so that if someone else encounters this behavior in the future, they can find a solution in the list archives? > > On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > On Mon, 2017-12-04 at 21:31 +0530, Aman Sha

Re: Issue regarding Selinux

2017-12-04 Thread Stephen Smalley
On Mon, 2017-12-04 at 21:45 +0530, Aman Sharma wrote: > Hi Stephen, > > sestatus -v > SELinux status:                 enabled > SELinuxfs mount:                /sys/fs/selinux > SELinux root directory:         /etc/selinux > Loaded policy name:             targeted > Current mode:                 

[PATCH] selinux-testsuite: inet_socket: test xfrm state selectors

2017-10-30 Thread Stephen Smalley
; I used it to confirm that we are not getting proper xfrm state selector matching with the current xdst pcpu cache code and to test a possible fix. Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- tests/inet_socket/ipsec-load | 7 +-- tests/inet_socket/test

[RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-30 Thread Stephen Smalley
ache entry. With these changes, the selinux-testsuite passes all tests again. Fixes: ec30d78c14a813db39a647b6a348b4286ba4abf5 ("xfrm: add xdst pcpu cache") Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- This is an RFC because I am not entirely confident in the fix, e.g. i

Re: travis CI

2017-10-25 Thread Stephen Smalley
On Tue, 2017-10-24 at 23:00 +0200, Nicolas Iooss wrote: > On Tue, Oct 24, 2017 at 10:20 PM, William Roberts > <bill.c.robe...@gmail.com> wrote: > > On Oct 24, 2017 13:05, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > > > On Tue, 2017-10-24 at 09:2

Re: travis CI

2017-10-24 Thread Stephen Smalley
On Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote: > On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote: > > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.ioos

Re: travis CI

2017-10-24 Thread Stephen Smalley
restarted the job, and it failed again in the same way (but on different cases). Then I restarted it a third time, and this time it ran to completion. This seems problematic; we likely need to reconsider any use of curl from the travis.yml file. > > > > > On Tue, Oct 24, 20

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote: > On Mon, 30 Oct 2017, Stephen Smalley wrote: > > > Thanks, interesting approach. One drawback is that it doesn't > > presently > > support any form of inheritance of labels from the parent > > namespace, so

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > Stephen Smalley <s...@tycho.nsa.gov> wrote: > > Since 4.14-rc1, the selinux-testsuite has been encountering > > sporadic > > failures during testing of labeled IPSEC. git bisect pointed to > > commit

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 09:00 -0400, Stephen Smalley wrote: > On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote: > > On Mon, 30 Oct 2017, Stephen Smalley wrote: > > > > > Thanks, interesting approach. One drawback is that it doesn't > > > presently >

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote: > On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > > Stephen Smalley <s...@tycho.nsa.gov> wrote: > > > Since 4.14-rc1, the selinux-testsuite has been encountering > > > sporadic > > >

Re: [PATCH V3 1/2] security: Add a cred_getsecid hook

2017-10-30 Thread Stephen Smalley
On Mon, 2017-10-30 at 10:57 +, Matthew Garrett via Selinux wrote: > On Thu, Oct 26, 2017 at 3:20 PM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett via Selinux > > wrote: > > > +static void selinux_cred_g

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-10-30 Thread Stephen Smalley
On Mon, 2017-10-30 at 21:04 +1100, James Morris wrote: > This is a proof-of-concept patch to demonstrate an approach to > supporting  > SELinux namespaces for security.selinux xattr labels. > > This follows on from the experimental SELinux namespace code posted > by  > Stephen:

Re: [PATCH] python/semanage/seobject.py: Fix undefined store check

2018-05-04 Thread Stephen Smalley
On 05/04/2018 07:51 AM, Petr Lautrbach wrote: > From: Vit Mojzis > > self.store is always a string (actual store name or "") because of > semanageRecords.__init__. Fix check for not defined store. > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 > >

Re: [PATCH] python/semanage/seobject.py: Fix undefined store check

2018-05-07 Thread Stephen Smalley
On 05/04/2018 04:12 PM, Petr Lautrbach wrote: > On Fri, May 04, 2018 at 01:58:08PM -0400, Stephen Smalley wrote: >> On 05/04/2018 07:51 AM, Petr Lautrbach wrote: >>> From: Vit Mojzis <vmoj...@redhat.com> >>> >>> self.store is always a string (actual store

Re: Packaging policycoreutils for OpenSUSE

2018-05-14 Thread Stephen Smalley
On 05/13/2018 07:43 AM, Nicolas Iooss wrote: > On Sat, May 12, 2018 at 2:53 PM, Matěj Cepl wrote: >> Hi, >> >> I am changing jobs (Red Hat -> SUSE; R, but not a security >> related job), and although I will be switching my workstation to >> OpenSUSE, I would love to keep SELinux

Re: [PATCH 20/23] LSM: Move common usercopy into

2018-05-14 Thread Stephen Smalley
On 05/10/2018 08:55 PM, Casey Schaufler wrote: > From: Casey Schaufler > Date: Thu, 10 May 2018 15:54:25 -0700 > Subject: [PATCH 20/23] LSM: Move common usercopy into > security_getpeersec_stream > > The modules implementing hook for getpeersec_stream > don't need to be

Re: [PATCH 20/23] LSM: Move common usercopy into

2018-05-14 Thread Stephen Smalley
On 05/14/2018 11:12 AM, Stephen Smalley wrote: > On 05/10/2018 08:55 PM, Casey Schaufler wrote: >> From: Casey Schaufler <ca...@schaufler-ca.com> >> Date: Thu, 10 May 2018 15:54:25 -0700 >> Subject: [PATCH 20/23] LSM: Move common usercopy into >> security_ge

Re: [PATCH 10/23] LSM: Infrastructure management of the inode security

2018-05-14 Thread Stephen Smalley
On 05/10/2018 08:53 PM, Casey Schaufler wrote: > From: Casey Schaufler > Date: Thu, 10 May 2018 14:23:27 -0700 > Subject: [PATCH 10/23] LSM: Infrastructure management of the inode security > blob > > Move management of the inode->i_security blob out > of the individual

Re: Anyone using the SELinux test suite on Fedora 28?

2018-05-14 Thread Stephen Smalley
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test. On Mon, May 14, 2018, 7:37 PM Casey Schaufler wrote: > Has anyone had success with the SELinux test suite on Fedora 28? > I find the chcon and newrole are unhappy with the

Re: [PATCH] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()

2018-05-09 Thread Stephen Smalley
On 05/09/2018 11:01 AM, Paul Moore wrote: > On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 05/08/2018 08:25 PM, Paul Moore wrote: >>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>>>

[PATCH] libsepol: cil: prevent stack buffer overflow in cil_expr_to_string

2018-05-09 Thread Stephen Smalley
Fix the test to prevent overflowing the stack buffer for boolean expressions. Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- libsepol/cil/src/cil_tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c

Re: [PATCH] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()

2018-05-09 Thread Stephen Smalley
On 05/08/2018 08:25 PM, Paul Moore wrote: > On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 05/08/2018 01:05 PM, Paul Moore wrote: >>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev >>> <alexey.koda...@oracle.com> wrote:

Re: Loopback TCP connection

2018-04-27 Thread Stephen Smalley
On 04/27/2018 10:23 AM, Troels Arvin wrote: > Hello, > > RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of > things which used to work suddenly broke, due to a new SELinux policy for > Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed > Tomcat to

ANN: SELinux userspace 2.8-rc3 release candidate

2018-05-10 Thread Stephen Smalley
and git shortlog output since the 2.7 release. If there are further items we should mention or if something should be amended in the release notes, let us know. Thanks to all the contributors to this release candidate! A shortlog of changes since the 2.8-rc2 release candidate is below. Stephen

Re: [PATCH] python/semanage/seobject.py: Fix undefined store check

2018-05-08 Thread Stephen Smalley
On 05/04/2018 07:51 AM, Petr Lautrbach wrote: > From: Vit Mojzis > > self.store is always a string (actual store name or "") because of > semanageRecords.__init__. Fix check for not defined store. > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 > >

Re: [PATCH 0/4] Fix build warnings with gcc 8

2018-05-08 Thread Stephen Smalley
On 05/03/2018 02:48 PM, Stephen Smalley wrote: > I encountered a number of build warnings on the selinux userspace > using gcc 8, which is the default now in F28 and rawhide. This fixes > the ones that are treated as fatal errors by default. There are still > known warnings due

[PATCH] libsemanage: prevent string overflow on final paths

2018-05-08 Thread Stephen Smalley
(). Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- libsemanage/src/semanage_store.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index bce648c4..f1984c50 100644 --- a/libsemana

Re: [PATCH] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()

2018-05-08 Thread Stephen Smalley
On 05/08/2018 01:05 PM, Paul Moore wrote: > On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev > wrote: >> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility >> with the old programs that can pass sockaddr_in with AF_UNSPEC and >> INADDR_ANY to bind().

Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 09:26 AM, Dominick Grift wrote: > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote: >> On 05/04/2018 03:55 AM, Jason Zaman wrote: >>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote: >>>> Hi, >>>> >>>

Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 03:55 AM, Jason Zaman wrote: > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote: >> Hi, >> >> If you have encountered any unreported problems with the 2.8-rcX releases or >> have any >> pending patches you believe should be included in

Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 08:19 AM, Dominick Grift wrote: > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote: >> Hi, >> >> If you have encountered any unreported problems with the 2.8-rcX releases or >> have any >> pending patches you believe should be in

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. > > Signed-off-by: Richard Haines > --- > README.md | 8 + >

Re: Anyone using the SELinux test suite on Fedora 28?

2018-05-15 Thread Stephen Smalley
On 05/15/2018 08:28 AM, Stephen Smalley wrote: > On 05/14/2018 08:10 PM, Casey Schaufler wrote: >> On 5/14/2018 4:48 PM, Stephen Smalley wrote: >>> It's been running fine for me. Maybe you just need to clean your tree and >>> do a fresh make test. >> >> Did

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 09:36 AM, Stephen Smalley wrote: > On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote: >> Add binder tests. See tests/binder/test_binder.c for details on >> message flows to test security_binder*() functions. >> >> Signed-off-by: Richard Haines <r

Re: [RFC PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote: > Not sure how useful this is but saw [1] and thought I'll have a go out > of idle curiosity. I haven't looked at the code yet but I'm in favor of adding it - this should help prevent regressions in the binder SELinux checks in upstream

Re: [PATCH 00/23] LSM: Full security module stacking

2018-05-15 Thread Stephen Smalley
On 05/14/2018 05:31 PM, Casey Schaufler wrote: > On 5/14/2018 1:07 PM, Stephen Smalley wrote: >> On 05/14/2018 03:52 PM, Stephen Smalley wrote: >>> On 05/10/2018 08:30 PM, Casey Schaufler wrote: >>>> Subject: [PATCH 00/23] LSM: Full security module stacking >>

Re: Anyone using the SELinux test suite on Fedora 28?

2018-05-15 Thread Stephen Smalley
On 05/14/2018 08:10 PM, Casey Schaufler wrote: > On 5/14/2018 4:48 PM, Stephen Smalley wrote: >> It's been running fine for me. Maybe you just need to clean your tree and do >> a fresh make test. > > Did that first thing. > > Digging down, I find that the "

Re: Re: [RFC PATCH] selinux-testsuite: check the "expand-check" setting in semanage.conf

2018-05-16 Thread Stephen Smalley
On 05/16/2018 03:31 AM, Petr Lautrbach wrote: > On Tue, May 15, 2018 at 05:03:42PM -0400, Paul Moore wrote: >> From: Paul Moore >> >> If expand-check is non-zero in semanage.conf the policy load will likely >> fail, >> try to provide a more helpful error to users running the

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 01:34 PM, Richard Haines wrote: > On Tue, 2018-05-15 at 12:56 -0400, Stephen Smalley wrote: >> On 05/15/2018 12:38 PM, Stephen Smalley wrote: >>> On 05/15/2018 09:43 AM, Stephen Smalley wrote: >>>> On 05/15/2018 09:36 AM, Stephen Smalley wrote: >

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 09:43 AM, Stephen Smalley wrote: > On 05/15/2018 09:36 AM, Stephen Smalley wrote: >> This test is failing for me (with or without -v): >> # ./test -v >> 1..6 >> Manager PID: 5608 Process context: >> unconfined_u:unconfined_r:test_binder_mgr_t:s

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Stephen Smalley
On 05/15/2018 12:38 PM, Stephen Smalley wrote: > On 05/15/2018 09:43 AM, Stephen Smalley wrote: >> On 05/15/2018 09:36 AM, Stephen Smalley wrote: >>> This test is failing for me (with or without -v): >>> # ./test -v >>> 1..6 &

Re: [PATCH] policycoreutils: fixfiles: failure to create /.autorelabel is fatal

2018-05-15 Thread Stephen Smalley
On 05/12/2018 08:43 AM, Alan Jenkins wrote: > Fix the following ambiguous output (from booting with init=/bin/sh): > > # /usr/sbin/fixfiles onboot > /usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system > /usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system

Re: [RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/21/2018 01:02 PM, Stephen Smalley wrote: > On 05/21/2018 12:33 PM, Richard Haines wrote: >> Add binder tests. See tests/binder/test_binder.c for details on >> message flows to test security_binder*() functions. > > Breaks the build on RHEL7 since /usr/include/linux/

Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/20/2018 02:25 PM, Richard Haines wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. Every test fails for me with: create_shm shm_open: Permission denied create_shm shm_open: No such file or directory and denials of

Re: [RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/21/2018 12:33 PM, Richard Haines wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. Breaks the build on RHEL7 since /usr/include/linux/android/binder.h does not exist and is not provided by any package. On F28

Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/20/2018 02:25 PM, Richard Haines wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. Also, it breaks the policy build on RHEL/CentOS 7, due to map permission not being defined. You need to use the allow_map() macro

Re: [RFC V4 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Stephen Smalley
d properly skipped on earlier Fedora/RHEL. Acked-by: Stephen Smalley <s...@tycho.nsa.gov> > --- > README.md | 8 + > defconfig | 7 + > policy/Makefile | 4 + > policy/test_binder.te | 120 +++ > tests/Makefile

Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Stephen Smalley
On 05/22/2018 09:53 AM, Stephen Smalley wrote: > On 05/22/2018 09:11 AM, Stephen Smalley wrote: >> On 05/22/2018 09:01 AM, Stephen Smalley wrote: >>> On 05/22/2018 07:37 AM, Richard Haines wrote: >>>> Could you try this version where I've packed the transaction st

Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Stephen Smalley
On 05/22/2018 09:01 AM, Stephen Smalley wrote: > On 05/22/2018 07:37 AM, Richard Haines wrote: >> Could you try this version where I've packed the transaction structures. >> I could not get the tests to fail on my two systems (but then V3 didn't). > > Hmmm...I saw one

Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Stephen Smalley
On 05/22/2018 09:11 AM, Stephen Smalley wrote: > On 05/22/2018 09:01 AM, Stephen Smalley wrote: >> On 05/22/2018 07:37 AM, Richard Haines wrote: >>> Could you try this version where I've packed the transaction structures. >>> I could not get the tests to fail on my two

Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Stephen Smalley
On 05/22/2018 07:37 AM, Richard Haines wrote: > Could you try this version where I've packed the transaction structures. > I could not get the tests to fail on my two systems (but then V3 didn't). Hmmm...I saw one instance of a failure in test 6 when running ./test by hand but am now having

Re: Selinux load_policy command on chrooted partition is loading policy on active partition

2018-05-25 Thread Stephen Smalley
On 05/25/2018 04:08 AM, bhawna goel wrote: > Hi Team, > > We are facing an issue with load_policy command on Centos 7.4.. Need to > understand what it exactly does. > > We have Centos 7.4 machine which have two partitions . > 1st partition (partA) have all the policies with unconfined and when

Re: Selinux load_policy command on inactive partition is loading policy on active partition

2018-05-24 Thread Stephen Smalley
On 05/24/2018 01:48 AM, shagun maheshwari wrote: > Hi, > > We have done changes in our Centos7.4 to disable the unconfined user from our > code. We have created an iso in which we have replaced unconfined with sysadm > and we are performing an upgrade using the new iso.  > After upgrade current

ANN: SELinux userspace release 20180524 / 2.8

2018-05-24 Thread Stephen Smalley
The 20180524 / 2.8 release for the SELinux userspace is now available at: https://github.com/SELinuxProject/selinux/wiki/Releases A github release has also been created at: https://github.com/SELinuxProject/selinux/releases/tag/20180524 In the future, we will likely stop hosting the releases on

Re: [Bug][KASAN] crash in xattr_getsecurity()

2018-05-24 Thread Stephen Smalley
On 05/24/2018 02:12 AM, Sachin Grover wrote: > Hi, > > Kernel panic is coming on calling lgetxattr() sys api with random user space > value. > > [   25.833951] Call trace: > [   25.833954] [] dump_backtrace+0x0/0x2a8 > [   25.833957] [] show_stack+0x20/0x28 > [   25.833959] []

Re: SELinux musl support

2018-05-18 Thread Stephen Smalley
On 05/18/2018 01:03 AM, Jason Zaman wrote: > On Thu, May 17, 2018 at 09:22:01PM +0200, Nicolas Iooss wrote: >> On Thu, May 17, 2018 at 7:11 AM, Jason Zaman wrote: >>> This series fixes compiling and running on musl libc. >>> >>> patches 1-2 are fairly trivial. >>> >>> patches

Re: ANN: SELinux userspace 2.8-rc3 release candidate

2018-05-23 Thread Stephen Smalley
e we can make a final 2.8 release anytime. If anyone objects, speak up now. > > On Thu, May 10, 2018 at 11:20:01AM -0400, Stephen Smalley wrote: >> A 2.8-rc3 release candidate for the SELinux userspace is now available at: >> https://github.com/SELinuxProject/selinux/wiki/Releases

Re: is_selinux_enabled() after chroot()

2018-06-18 Thread Stephen Smalley
On 06/18/2018 03:24 PM, Petr Lautrbach wrote: > Hello, > > libselinux sets selinux_mnt and has_selinux_config only in its constructor and > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is > enabled. But it doesn't work correctly when you use chroot() to a directory >

Re: 'setsebool -P' works but throws errors; changes not permanent

2018-06-18 Thread Stephen Smalley
On 06/18/2018 03:44 PM, Mike Hughes wrote: > We use Yubikey for two-factor ssh authentication which requires enabling a > Boolean called “authlogin_yubikey”. It has been working fine until a few > weeks ago. Errors appear when attempting to set the policy: > >   > > -- > >

Re: [PATCH 1/1] scripts: add a helper script to run clang's static analyzer

2018-06-15 Thread Stephen Smalley
On 06/09/2018 04:08 PM, Nicolas Iooss wrote: > Using clang's static analyzer is as simple as running "scan-build make", > but in order to obtain clean and reproducible results, the build > environment has to be cleaned beforehand ("make clean distclean"). > > Moreover the project requires running

Re: [PATCH 3/3] libsepol/cil: use a colon instead of a semicolon to report rc

2018-06-15 Thread Stephen Smalley
On 06/09/2018 03:30 PM, Nicolas Iooss wrote: > Signed-off-by: Nicolas Iooss Thanks, applied all three. > --- > libsepol/cil/src/cil_resolve_ast.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_resolve_ast.c > b/libsepol/cil/src/cil_resolve_ast.c

Re: fixfiles and load_policy moved from /sbin to /usr/sbin

2018-05-29 Thread Stephen Smalley
On 05/29/2018 02:28 PM, Stephen Smalley wrote: > On 05/29/2018 11:19 AM, Laurent Bigonville wrote: >> Hello, >> >> While packaging policycoreutils 2.8 I've seen that the fixfiles and >> load_policy executables were moved from /sbin to /usr/sbin >> >> Any

Re: fixfiles and load_policy moved from /sbin to /usr/sbin

2018-05-29 Thread Stephen Smalley
On 05/29/2018 11:19 AM, Laurent Bigonville wrote: > Hello, > > While packaging policycoreutils 2.8 I've seen that the fixfiles and > load_policy executables were moved from /sbin to /usr/sbin > > Any reasons for this? This seems to me like an involuntary side effect of the > cleanup for

Re: [PATCH] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity

2018-05-30 Thread Stephen Smalley
On 05/30/2018 11:19 AM, Paul Moore wrote: > On Fri, May 25, 2018 at 4:31 AM, Sachin Grover wrote: >> Call trace: >> [] dump_backtrace+0x0/0x428 >> [] show_stack+0x28/0x38 >> [] dump_stack+0xd4/0x124 >> [] print_address_description+0x68/0x258 >> [] kasan_report.part.2+0x228/0x2f0 >> []

Re: [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds

2018-05-30 Thread Stephen Smalley
On 05/30/2018 10:10 AM, Peter Enderborg wrote: > Holding the preempt_disable is very bad for low latency tasks > such as audio and therefore we need to break out the rule-set dependent > part from this disable. By using a RCU instead of rwlock we > have an efficient locking and less preemption

Re: [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds

2018-05-31 Thread Stephen Smalley
On 05/31/2018 05:04 AM, peter enderborg wrote: > On 05/30/2018 10:34 PM, Stephen Smalley wrote: >> On 05/30/2018 10:10 AM, Peter Enderborg wrote: >>> The boolean change becomes a lot more heavy with this patch, >>> but it is a very rare usage in compare with read only op

Re: Invalid security context while executing audit2allow.orig

2018-05-29 Thread Stephen Smalley
On 05/29/2018 07:39 AM, bhawna goel wrote: > Hi Team, > > We are getting below error while creating policies using command > audit2allow.orig. Can you help in identifying what could be the possible > reason of such error. > > Error: > libsepol.context_from_record: invalid security context: >

Re: [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds

2018-05-31 Thread Stephen Smalley
On 05/31/2018 10:21 AM, Stephen Smalley wrote: > On 05/31/2018 10:12 AM, peter enderborg wrote: >> On 05/31/2018 02:42 PM, Stephen Smalley wrote: >>> On 05/31/2018 05:04 AM, peter enderborg wrote: >>>> On 05/30/2018 10:34 PM, Stephen Smalley wrote: >>>>

Re: BTRFS losing SE Linux labels on power failure or "reboot -nffd".

2018-06-04 Thread Stephen Smalley
On 06/01/2018 09:03 AM, Russell Coker via Selinux wrote: > The command "reboot -nffd" (kernel reboot without flushing kernel buffers or > writing status) when run on a BTRFS system will often result in > /var/log/audit/audit.log being unlabeled. It also results in some > systemd-journald files

Re: [PATCH 4/4] policycoreutils/hll/pp: remove unused variable

2018-06-06 Thread Stephen Smalley
On 06/03/2018 12:25 PM, Nicolas Iooss wrote: > pp's main() never set outfd to anything else than -1 so there is no > point in closing it. Thanks, applied all four patches. > > Signed-off-by: Nicolas Iooss > --- > policycoreutils/hll/pp/pp.c | 7 --- > 1 file changed, 7 deletions(-) > >

Re: [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds

2018-05-31 Thread Stephen Smalley
On 05/31/2018 10:12 AM, peter enderborg wrote: > On 05/31/2018 02:42 PM, Stephen Smalley wrote: >> On 05/31/2018 05:04 AM, peter enderborg wrote: >>> On 05/30/2018 10:34 PM, Stephen Smalley wrote: >>>> On 05/30/2018 10:10 AM, Peter Enderborg wrote: >>>>>

Re: [PATCH] python/semanage: Stop logging loginRecords changes

2018-06-26 Thread Stephen Smalley
On 06/18/2018 01:22 PM, Vit Mojzis wrote: > semanage_seuser_modify_local and semanage_seuser_del_local already do > the logging. > Moreover, semanage log for loginRecords.__add was flawed since it > reported old-{seuser,role,range} of default user instead of None. This > was caused by

Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions

2018-06-26 Thread Stephen Smalley
; > Cc: sta...@vger.kernel.org > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Jann Horn Only question I have is wrt the Fixes line, i.e. was this an issue until userfaultfd was introduced, and if not, do we need it to be back-ported any further than the commit which i

Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions

2018-06-26 Thread Stephen Smalley
On 06/26/2018 08:42 AM, Jann Horn wrote: > On Tue, Jun 26, 2018 at 2:15 PM Stephen Smalley wrote: >> >> On 06/25/2018 12:34 PM, Jann Horn wrote: >>> If a user is accessing a file in selinuxfs with a pointer to a userspace >>> buffer that is backed by e.g. a user
